Subject: block: hold extra reference to bio in blk_rq_map_user_iov()
From: Jens Axboe
Date: Tue Nov 18 15:08:56 2008 +0100:
Git: c26156b2534c75bb3cdedf76f6ad1340971cf5bd

If the size passed in is OK but we end up mapping too many segments, we call the unmap path directly like from IO completion. But from IO completion we have an extra reference to the bio, so this error case goes OOPS when it attempts to free an already freed bio. Fix it by getting an extra reference to the bio before calling the unmap failure case.

Reported-by: Petr Vandrovec
Signed-off-by: Jens Axboe
Signed-off-by: Hannes Reinecke

--- block/blk-map.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/block/blk-map.c +++ b/block/blk-map.c @@ -202,6 +202,12 @@ int blk_rq_map_user_iov(struct request_q return PTR_ERR(bio); if (bio->bi_size != len) { + /* + * Grab an extra reference to this bio, as bio_unmap_user() + * expects to be able to drop it twice as it happens on the + * normal IO completion path + */ + bio_get(bio); bio_endio(bio, 0); bio_unmap_user(bio); return -EINVAL;
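
Review bot: The comment above bio_get(bio) in the bio->bi_size != len branch says bio_unmap_user() expects to drop the bio twice, but it does not say which call releases which reference. Since bio_endio(bio, 0) runs between the get and the unmap, the comment should state which of the two calls consumes the reference taken here, so the count can be checked without reading the completion path. The balance also now depends on this caller remembering the extra bio_get() before calling the unmap path directly. It would be worth documenting that requirement next to bio_unmap_user() itself, or folding the get/endio/unmap sequence into a small helper if any other error path invokes the unmap the same way.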